The rise of spear phishing in 2016

Posted On February 1, 2017

The second article in our look back over 2016 series brings us to the bane of IT Managers’ lives – spear phishing.
2016 saw an alarming shift from broad-based spam attacks to targeted, email-based phishing campaigns – why?

Because spear phishing works!

Some of the most notorious cyber-attacks in the past year have started with just one member of staff unknowingly clicking on a spear phishing email.

What is spear phishing?

An email arrives in the inbox of a member of the Finance Team, such as the Finance Manager. It appears to come from a senior staff member such as the Head of Finance or the Managing Director. Spear phishing emails contain enough detail to convince the recipient that the email is legitimate. It will come up in your email client as being from Bob Jones – your MD. It will contain some form of personal information. It will often come at a time when your MD is on holiday or out of the office and to question his instructions could be very awkward. It will have your official company email signature and so on. To even the most suspicious eyes it will appear like any normal email. It is only if you delve a little deeper into what is going on that you may start to question it.

How to protect yourself from spear phishing

Today, organisations need an email security solution that detects and blocks advanced targeted campaigns involving spear phishing, the harvesting of credentials or the impersonation of legitimate senders. Unfortunately, technology alone is not going to stop every spear phishing email.
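The "delve a little deeper" step described above, and the impersonation detection an email gateway performs, both come down to looking past the display name at the headers actually on the message. The following is an added example written for this article, not code from the original post or from any product it mentions. It assumes an internal domain of example.com, a small directory of executive names mapped to their real addresses, and that the mail gateway stamps an Authentication-Results header on inbound mail; the three sample messages are constructed for the demonstration.

```python
"""Flag inbound mail whose display name impersonates an executive (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: our own domain and a directory of senior staff.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "bob jones": "bob.jones@example.com",   # the MD from the article
}


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. Display name matches a known executive but the address behind it does not.
    norm_name = " ".join(name.lower().split())
    if norm_name in EXECUTIVES and addr.lower() != EXECUTIVES[norm_name]:
        findings.append(
            f"display name '{name}' matches an executive but the address is {addr}")

    # 2. Replies would go to a different domain than the one the mail claims to be from.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if _domain(rt_addr) != _domain(addr):
            findings.append(
                f"Reply-To domain {_domain(rt_addr)} differs from From domain {_domain(addr)}")

    # 3. Mail claiming to come from our own domain should carry a passing DMARC result
    #    from our gateway (assumed to add Authentication-Results); otherwise it is a
    #    candidate for sender-address forgery.
    if _domain(addr) == INTERNAL_DOMAIN:
        auth = msg.get("Authentication-Results", "")
        if "dmarc=pass" not in auth.lower():
            findings.append(
                "From claims the internal domain but Authentication-Results has no dmarc=pass")
    return findings


# Constructed sample 1: external mailbox borrowing the MD's display name, replies diverted.
SPOOFED_SAMPLE = """\
From: Bob Jones <bob.jones@example-mail.net>
Reply-To: accounts@other-example.org
To: finance.manager@example.com
Subject: Urgent payment while I'm away
Authentication-Results: mx.example.com; dmarc=none

Please settle the attached invoice today, I am travelling and cannot call.
"""

# Constructed sample 2: the genuine MD, authenticated by our gateway.
GENUINE_SAMPLE = """\
From: Bob Jones <bob.jones@example.com>
To: finance.manager@example.com
Subject: Q1 budget
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Draft numbers attached for review.
"""

# Constructed sample 3: correct address on the From line, but the gateway could not authenticate it.
UNAUTHENTICATED_SAMPLE = """\
From: Bob Jones <bob.jones@example.com>
To: finance.manager@example.com
Subject: New supplier bank details
Authentication-Results: mx.example.com; spf=fail; dmarc=fail

Please update the payee record, details below.
"""

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED_SAMPLE), ("genuine", GENUINE_SAMPLE),
                          ("unauthenticated", UNAUTHENTICATED_SAMPLE)]:
        print(label, "->", check_message(sample) or "no findings")
```

Run stand-alone, the script reports two findings for the first sample (executive display name with a foreign address, and a Reply-To pointing elsewhere), none for the genuine message, and one for the third (internal address without a passing DMARC result). None of these checks replaces the phone call the article recommends for payment changes; they are the automated "delve a little deeper" that decides which messages deserve that call.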

We say it time and again, but you need to educate your colleagues about the dangers of spear phishing and phishing. You don’t do this once, during their induction; you need to remind them constantly. You should be organising short workshops for senior staff, arming them with the knowledge they need to understand how they may be tricked and training them to question anything out of the ordinary.

If a new bank account or payee is in play, there needs to be some kind of two-factor authentication: yes, your supplier has emailed you to say ‘please pay me to this new bank account’, BUT you should also pick up the phone and confirm with them – get their number from their website, not from the email footer.

Make sure you understand your email security software: how it works, and which added features come with the package but might not be switched on. Talk to the vendor’s Support Team regularly about what you should be setting up on the system to protect your users and your network.

That’s it for spear phishing; our next article will tackle how phishing emails are being used to deliver ransomware to businesses.